Black Code: Inside the Battle for Cyberspace
The brochure provides an overview of FinSpy that amounts to a laundry list of the seamy side of cyberspace, and worthy for that reason of some considerable scrutiny:
• Bypassing of 40 regularly tested Anti-Virus systems. Here, Gamma insists that its FinSpy product is so advanced that it escapes the detection of forty companies whose mission it is to protect customer computers from trojan horses, viruses, and computer worms … the very same type of trojan horse being manufactured by Gamma itself! FinSpy is a “zero-day” vulnerability; that is, its “signature” has not yet been discovered by antivirus companies like Norton and Symantec.
• Covert communication with Headquarters. Here, the company explains that it can infect targets and communicate back to those operating FinSpy without users knowing it. Ingenious, unethical, and, well, illegal – unless you are working for a secret agency whose activities are exempt from the law (which is, after all, a target group of Gamma).
• Full Skype Monitoring (Calls, Chats, File Transfers, Video, Contact List). No surprise here – Skype is used by many people who wrongly believe that it provides communications security – and the brochure gives an intriguing generic “use-case” of how FinSpy was used to monitor Skype: FinSpy was installed on several computer systems inside Internet cafés in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the webcam, pictures of the targets were taken while they were using the system.
Such details bring to mind stories that circulated in Egypt (where the product was sold to intelligence agencies). In June 2011, the Wall Street Journal reported that Egypt’s security service listened in on Skype communications of young dissidents and that “an internal memo from the ‘Electronic Penetration Department’ even boasted it had intercepted one conversation in which an activist stressed the importance of using Skype ‘because it cannot be penetrated online by any security device.’ ” That the means by which the Electronic Penetration Department did so was Gamma’s FinSpy certainly adds missing colour to this “use-case”; that Egypt had something called an Electronic Penetration Department in the first place paints its government in a hue of blood red.
In addition to the contract that ransacking protesters stumbled across, the Wall Street Journal also reported on a “Top Secret” memo from Egypt’s interior ministry. Dated January 1, 2011, it describes the five-month trial of a “high-level security system” produced by Gamma Group that succeeded in “hacking personal accounts on Skype.” The Journal notes that “the system was being offered for €388,604 ($559,279), including the training of four officers to use it, by Gamma’s Egyptian reseller, Modern Communication Systems.”
These revelations underscored how lucrative the market for FinSpy-like products has become. They also confirmed fears that U.S.-based NGOs like Freedom House that were training Middle East activists to use tools like Skype to secure their communications were actually instilling a false sense of security when computers are commandeered by customized trojan horses like FinSpy. (To this day, I regularly encounter activists relying on Skype and other “secure communications” tools touted by “trainers.” They should know better.)
Which brings us back to other features in Gamma’s FinSpy brochure:
• Recording of common communication like Email, Chats, and Voice-over-IP and Live Surveillance through Webcam and Microphone. Surveilling webcams and microphones in real time was exactly what the Chinese hackers in the GhostNet espionage campaign achieved through Ghost RAT. Here the same capabilities are being professionally repackaged and marketed. As we noted when Tracking GhostNet was published: “We are used to having computers be our window to the world; it’s time to get used to them looking back at us.”
• Country Tracing of Target. This feature seems superfluous in light of FinSpy’s other capabilities, but governments today face transnational networks of adversaries, and thus this is an important selling feature for agencies looking to penetrate and immobilize them. Perhaps to track them down and eliminate them.
• Silent Extracting of Files from Hard Disk. The silent part is interesting. Picture yourself working at your computer while files are being silently removed, without your knowledge, from your hard drive and down a fibre-optic cable.
• ‘Process-based Keylogger’ for faster analysis. Somewhere, each one of your keystrokes is being recorded and analyzed – as you are typing. This means not just the words you are entering into a document, but each and every password you use for what you assume are secure websites and programs – like encryption and anonymizer tools – including, of course, the master password for your computer.
• Live Remote Forensics on Target System. A standard reconnaissance task undertaken to provide a snapshot of a victim’s computer layout, and thus vulnerabilities, so that they can be further exploited with other pieces of malware. Given FinSpy’s other capabilities you have to wonder why this is necessary, but there you have it.
• • •
The contracts, brochures, and obscure company names in the WikiLeaks collection – as endlessly fascinating as they may be – are but a glimpse into a vast labyrinth and arms race in cyberspace. It’s wrong to describe this labyrinth as “underground” in the sense that today such attack tools are cheap and widely available, and attackers can mount their assaults at fibre-optic speed from anywhere on the planet to anywhere else; but “underground” is apt as they can also disguise their origins and mask responsibility, and, of course, the market for such products is dominated by shadowy security services. As Harvard’s Joseph Nye, who has been assistant secretary of defense and chairman of the National Intelligence Council, argues, “The cyber domain of computers and related electronic activities is a complex man-made environment, and human adversaries are purposeful and intelligent. Mountains and oceans are hard to move, but portions of cyberspace can be turned on and off by throwing a switch. It is far cheaper and quicker to move electrons across the globe than to move large ships long distances.” And it is far easier for the perpetrators to remain anonymous, hence the critiques of Eugene Kaspersky, Richard Clarke, and others, and the attacks on online anonymity itself.
War scholars have long understood that in an offence-dominant environment such as this, there is constant pressure to keep up. Fear and insecurity grow, threats lurk everywhere, and rash decisions lead to unexpected outcomes. For those in the defence and intelligence services industry this scenario represents an irresistibly attractive market opportunity. Some estimates value the cyber-security military-industrial business at upwards of US$150 billion annually. Like Dwight Eisenhower’s military-industrial complex before it, the cyber-security industrial complex is intimately connected to militarization processes in the West and, in particular, the U.S. Major corporate giants that arose in the Cold War, such as Boeing and Northrop Grumman, are now positioning themselves to service the cyber security market. “We’ve identified cyber as one of our four key areas for growth for the next five years,” says Tim McKnight, vice-president at Northrop’s intelligence systems division. They have been joined by dozens of little-known niche outfits like Gamma, VUPEN, and Endgame. In an era of financial austerity, with so many industries squeezed by economic downturns, the growing cyber security sector represents a golden egg.
There are numerous good reasons for a thriving cyber security market. Dynamic networks need to constantly fend off malicious software, and the private sector generally produces the most efficient and agile responses. But when twinned with the growing desire among defence and intelligence agencies (and some companies) to monitor an ever-widening range of threats and to sometimes “strike back,” the same market creates perverse dynamics. Securing cyberspace is only a part of the cyber security market: exploiting it, mining it for intelligence, and even propagating vulnerabilities that undermine and destabilize it are quickly becoming just as lucrative parts of the game.
In 2012, the satirical website the Onion published a news video calling Facebook a “massive online surveillance program run by the CIA” and alleging “that Facebook has replaced almost every other CIA information gathering program.” The video shows testimony from a fictional deputy director of the CIA, Christopher Sartinsky: “After years of secretly monitoring the public we were astounded so many people would willingly publicize where they live, their religious and political views, an alphabetized list of all their friends, personal email addresses, phone numbers, hundreds of photos of themselves, and even status updates about what they were doing moment to moment. It is truly a dream come true for the CIA.”
Sometimes great satire is just too true. Of course, it truly is a dream come true for the CIA, and for the companies that sell social network monitoring products and services to the CIA (and other defence and intelligence agencies). When that market opportunity is combined with growing pressures on the private sector, including social network platforms themselves, to effectively police the Internet, accompanied by laws that relax independent oversight and judicial restraints, a very troubling mix of incentives emerges.
Consider Social360, a company that monitors social networks for other companies. It advertises a special “crisis-monitoring” service which aims to identify protester activities that might be threatening to companies tarnished by scandals. Although they don’t publish to whom they sell their services, one can easily imagine this service being offered to oppressive regimes threatened by popular uprisings like those that arose during the Arab Spring.
Or consider the U.K.-based ThorpeGlen Company, a world leader in the design and development of mass data analysis and storage solutions for the security sector. On July 6, 2010, the company announced that it had created the “largest social network” in the world with more than 1.2 billion nodes. “A node on a social network is a person, piece of equipment or account,” ThorpeGlen explains. “The network itself maps the linkages between nodes meaning that the flow of funds through bank accounts, the movement of people and materials within a production facility or the way in which people communicate with each other by e-mail or telephone can be visualized and analyzed.” ThorpeGlen offers little explanation about how it acquires such node information, but in a 2008 web demo, its VP of global sales showed off one of the company’s “lawful access” tools by mining a single week’s worth of call data from 50 million users in Indonesia. The purpose was to find the dissident needle in the haystack. As the London Review of Books reported:
Of the 50 million subscribers ThorpeGlen processed, 48 million effectively belonged to ‘one large group’: they called one another, or their friends called friends of their friends; this set of people was dismissed. A further 400,000 subscriptions could be attributed to a few large ‘nodes’, with numbers belonging to call centres, shops and information services. The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??’
“Why??” indeed. What does this analysis prove? Beneath the slick presentation, the demo suggests that ThorpeGlen had access to real user data in Indonesia, presumably shared with the company by cellphone and other telecommunications companies. One company, one case, one country. But doesn’t this beg two questions: how many other ThorpeGlens are out there mining our social network data? And, how many countries are doing what Indonesia and Indonesian telecom companies presumably did in 2008: share users’ data without their consent with a private company servicing law enforcement and intelligence?
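The ThorpeGlen demo described above is, stripped of the sales gloss, a graph exercise: treat each subscriber as a node, each call as an edge, split the graph into connected components, discard the one enormous everyday component, and then look at what is left. The following is an added illustration, not the book's text nor anything from ThorpeGlen, and the call records in it are constructed; it exists to show why bare call metadata, with no content at all, is enough to single out small groups of people, which is exactly the privacy concern the chapter raises. Every name, the `CALLS` list, the `large_threshold` of six and the three buckets are assumptions made for the illustration.

```python
from collections import defaultdict, Counter

# Constructed call records (caller, callee) standing in for one week of
# subscriber metadata. The numbers and the calling pattern are invented.
CALLS = [
    # one large everyday group: people call friends, and friends of friends
    ("A1", "A2"), ("A2", "A3"), ("A3", "A1"), ("A1", "A4"),
    ("A4", "A5"), ("A5", "A6"), ("A6", "A2"), ("A7", "A1"),
    # a small group whose members only ever call each other
    ("B1", "B2"), ("B2", "B3"), ("B3", "B1"),
    # a star: several numbers that only ever call one central number
    ("C1", "HUB"), ("C2", "HUB"), ("C3", "HUB"), ("C4", "HUB"),
    # a pair who only call each other
    ("D1", "D2"), ("D2", "D1"),
]


def build_graph(calls):
    """Undirected adjacency: an edge means the two numbers spoke at least once."""
    g = defaultdict(set)
    for caller, callee in calls:
        g[caller].add(callee)
        g[callee].add(caller)
    return g


def connected_components(g):
    """Iterative depth-first search; each component is the set of numbers
    reachable from one another through any chain of calls."""
    seen, comps = set(), []
    for start in g:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            comp.add(n)
            stack.extend(g[n] - seen)
        comps.append(frozenset(comp))
    return comps


def classify(calls, large_threshold=6):
    """Sort components into the three buckets the demo described:
    the big 'one large group' that is dismissed, small closed groups whose
    members only call each other, and stars where everyone calls one centre."""
    g = build_graph(calls)
    report = {"dismissed": [], "closed_groups": [], "star_groups": []}
    for comp in connected_components(g):
        members = tuple(sorted(comp))
        if len(comp) >= large_threshold:
            report["dismissed"].append(members)
            continue
        # Who do members of this component call? By construction of a
        # component, the answer is always other members of the same component.
        callees = Counter(callee for caller, callee in calls if caller in comp)
        # star: at least three numbers, and every call in the group goes to a
        # single centre (the centre itself never calls anyone)
        if len(comp) >= 3 and len(callees) == 1:
            centre = next(iter(callees))
            report["star_groups"].append((centre, members))
        else:
            report["closed_groups"].append(members)
    return report


if __name__ == "__main__":
    for bucket, groups in classify(CALLS).items():
        print(bucket, groups)
```

Run on the constructed records, the seven-subscriber "A" group is dismissed, the "B" trio and the "D" pair come out as closed groups, and the "C" numbers are reported as a star around `HUB`. Nothing here needed the content of a single call; the structure alone produced the "WHY??" slide, which is the point the chapter makes about who holds this data and on what authority.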
• • •
In 2011, the German hacker collective, Chaos Computer Club (CCC) announced that it had discovered and examined a backdoor trojan horse made by the German company DigiTask as part of a “lawful interception” program to listen in on Internet-based communications. In Germany, courts have long allowed the use of backdoor programs to help law enforcement listen in on encrypted communications as part of legal wiretaps. However, the CCC alleged that the software went far beyond those permissible purposes, and claimed the trojan could be used to monitor Skype, Yahoo! Messenger, and MSN Messenger; log keystrokes made through Firefox, Internet Explorer, and other browsers; and take screen captures of desktops. The CCC wrote that the “State Trojan” violated German law because it could also upload and execute programs remotely. “This means, an ‘upgrade path’ from [lawful spyware] to the full State Trojan’s functionality is built-in right from the start. Activation of the computer’s hardware like a microphone or camera can be used for room surveillance. The government malware can, unchecked by a judge, load extensions by remote control, [and] use the Trojan for other functions, including but not limited to eavesdropping.”
A German lawyer said that one of his clients was infected with the trojan while travelling through a German airport. After his client was arrested the lawyer contacted the CCC, which found the infection in the client’s computer. WikiLeaks documents show that in 2008 German law enforcement was working with DigiTask to develop software that could intercept Skype phone calls. DigiTask stated that the program that the CCC found was probably a tracking program it had sold to Bavaria in 2007, and admitted that it sold similar spyware to governments throughout Europe.
The digital arms trade for products and services around “active defence” may end up causing serious instability and chaos. Frustrated by their inability to prevent constant penetrations of their networks through passive defensive measures, it is becoming increasingly legitimate for companies to take retaliatory measures. As the desire for such active defence strategies mounts, firms like CrowdStrike and Mandiant now openly go “on the hunt,” distinguishing their services by contrasting them with those of mere “protection firms.” “It’s a lot more fun to fight the adversary than to guard against him,” Mandiant company founder Kevin Mandia told NPR, citing another industry expert who says that “there are dozens, if not hundreds, of service providers doing similar things to Mandiant.”
One extremely lucrative part of this market involves the sale of fresh “exploitations” or undiscovered computer vulnerabilities not yet detected by the antivirus industry, like Gamma’s Zero Day. A 2012 Forbes magazine investigation acquired a price list of zero-day vulnerabilities, offering another peek inside this otherwise closed industry. Want a fresh exploit that will target Adobe? That will cost anywhere from $5,000 to $30,000. Mac OS X? $20,000 to $50,000. Android? $30,000 to $60,000. One exploit targeting Apple’s iOS system was reportedly sold to a U.S. agency for $250,000.
The Forbes report profiles a Bangkok middleman, “The Grugq,” who was set to earn over $1 million annually acting as a digital-age arms broker between those who engineer fresh exploitations and their purchasers, usually U.S. and European government agencies. Clearly, the burgeoning industry includes small obscure firms, lone actors, and industry giants like Northrop Grumman and Raytheon.
Of course, much of the industry is shrouded in the type of secrecy that accompanies defence, law enforcement, and intelligence agencies and their practices and markets. Entire segments of the cyber-security industrial complex operate in the shadows, reaping millions from ballooning “black budgets” that escape public scrutiny and independent oversight. An occasional leak here or there, dedicated investigative reporting, or a careless boast made by someone like “The Grugq” represent the only real chances the general public has to gain insight into this dark trade.
One of the few companies not afraid to speak out is the French-headquartered VUPEN Security, which came to prominence when its hackers won a 2012 contest sponsored by Google to see if anyone could find a vulnerability in its Chrome browser. The prize was $60,000, but in exchange for publicly disclosing the vulnerability the winner had to help Google engineers plug the holes. VUPEN surprised everyone by turning down the prize. “We wouldn’t share this with Google for even $1 million,” said the company’s president. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
VUPEN says it only sells to law enforcement agencies under a nondisclosure agreement, and only then to law enforcement agencies in the NATO, ANZUS, or ASEAN alliances. This sounds principled, but it should be noted that those alliances include such luminaries of human rights non-compliance as Albania, Bulgaria, Croatia, Hungary, Romania, Slovenia, Slovakia, Spain, Indonesia, Malaysia, Thailand, Brunei, Burma, Cambodia, Laos, and Vietnam. Nonetheless, in a glossy VUPEN brochure in the WikiLeaks “Spy Files” archive, the company boasts that it “provides its customers … reports about critical vulnerabilities up to 9 months in advance before any patches are released.”
One of the other means by which researchers have tracked the growing black market industry is through job postings. In 2012, Mikko Hyppönen of the security firm F-Secure took notice of an increasing number of postings from large companies advertising for skill sets that included offensive exploitation capabilities. For example, a search by Hyppönen of the massive defence contractor SAIC’s job database using the keywords “top secret/sci” and “exploit” returned over 137 job postings. Intriguingly, a 2012 job posting at defence contractor Booz Allen Hamilton for a “target network analyst” looked to recruit someone who could “exploit development for personal computer and mobile device operating systems, including Android, BlackBerry, iPhone and iPad.”